Setup Chrony server on bastion node (ocp-power-automation#39)

Fixes ocp-power-automation#38 Signed-off-by: Sebastien Chabrolles <[email protected]>
schabrolles · Aug 6, 2020 · 54a781e · 54a781e
1 parent d9ed193
commit 54a781e
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 54 deletions.
diff --git a/playbooks/roles/ocp-config/README.md b/playbooks/roles/ocp-config/README.md
@@ -25,8 +25,9 @@ Role Variables
 | proxy_url               | no       | ""             | Proxy url eg: http://[user:passwd@]server:port (NA when setup_squid_proxy: true)|
 | no_proxy                | no       | ""             | Comma seperated string of domains/cidr to exclude proxy |
 | enable_local_registry   | no       | false          | Set to true to enable usage of local registry for restricted network install |
-| chronyconfig.enabled    | no       | flase          | Set to true to enable chrony configuration on the coreOS node during install |
-| chronyconfig.content    | no       | ""             | List of time servers and options pair (see chronyconfig examples) |
+| chronyconfig.enabled    | no       | true           | Set to true to enable chrony configuration on the bastion node during installation. This also configure the bastion as a NTP server for the cluster. |
+| chronyconfig.content    | no       | ""             | List of time NTP servers and options pair (see chronyconfig examples). If empty, bastion will try sync with some default ntp server (internet) AND local HW clock (with higher stratum). |
+| chronyconfig.allow      | no       | ""             | List of network cidr (X.X.X.X/Y) allowed to sync with bastion configured as NTP server |
 
 *chronyconfig variable example *
 
@@ -38,6 +39,9 @@ chronyconfig:
        options: iburst
      - server: ntp2.example.com
        options: iburst
+    allow:
+      - 10.1.1.1/24
+      - 10.1.2.3/16
 ```
 
 Dependencies

diff --git a/playbooks/roles/ocp-config/defaults/main/main.yaml b/playbooks/roles/ocp-config/defaults/main/main.yaml
@@ -9,4 +9,4 @@ no_proxy: ""
 enable_local_registry: false
 
 chronyconfig:
-   enabled: false
+   enabled: true
diff --git a/playbooks/roles/ocp-config/handlers/main.yaml b/playbooks/roles/ocp-config/handlers/main.yaml
@@ -9,3 +9,8 @@
   service:
     name: firewalld
     state: restarted
+
+- name: restart chrony
+  service:
+    name: chronyd
+    state: restarted
diff --git a/playbooks/roles/ocp-config/tasks/chrony.yaml b/playbooks/roles/ocp-config/tasks/chrony.yaml
@@ -1,17 +1,72 @@
-- name: Create temporary chrony.conf file
-  template:
-    src: chrony.conf.j2
-    dest: /tmp/chrony.conf.tmp
+- name: Install chrony on bastion
+  yum:
+    name: chrony
+    state: present
 
-- name: slurp contents of temporary chrony.conf file
-  slurp:
-    src: /tmp/chrony.conf.tmp
-  register: chronybase64
+- name: Open NTP port on firewall
+  firewalld:
+      service: ntp
+      permanent: yes
+      immediate: yes
+      state: enabled
 
-- name: Generate Chrony machineconfig
-  template:
-    src: chrony-machineconfig.j2
-    dest: "{{ workdir }}/manifests/99-{{item}}-chrony-configuration.yaml"
-  loop: 
-    - master
-    - worker
+- name: Configure chrony to synchronize with ntp servers
+  lineinfile:
+    path: /etc/chrony.conf
+    regexp: '^server {{ item.server }} '
+    state: present
+    line: "server {{ item.server }} {{ item.options | default('iburst') }}"
+    insertafter: 'server '
+    backup: yes
+  loop: "{{ chronyconfig.content }}"
+  when:
+    - chronyconfig.content is defined
+    - chronyconfig.content[0].server is defined
+  notify:
+    - restart chrony
+
+- name: Remove Chrony default pool when ntp server are used
+  lineinfile:
+    path: /etc/chrony.conf
+    regexp: '^pool .*\.rhel\.pool\.ntp\.org'
+    state: absent
+    backup: yes
+  when:
+    - chronyconfig.content is defined
+    - chronyconfig.content[0].server is defined
+  notify:
+    - restart chrony
+
+- name: Allow local stratum in chrony.conf on bastion
+  lineinfile:
+    path: /etc/chrony.conf
+    regexp: '^local stratum'
+    state: present
+    line: "local stratum 10"
+    insertafter: '^#local stratum'
+    backup: yes
+  notify:
+    - restart chrony
+
+- name: Allow Cluster Network in chrony.conf on bastion
+  lineinfile:
+    path: /etc/chrony.conf
+    regexp: '^allow'
+    state: present
+    line: "allow {{ item }}"
+    insertafter: '^#allow'
+    backup: yes
+  loop: "{{ chronyconfig.allow }}"
+  when:
+    - chronyconfig.allow is defined
+    - chronyconfig.allow[0] is defined
+  notify:
+    - restart chrony
+
+- name: Copy machineconfig files generated from helpernode
+  copy:
+    src: "{{ item }}"
+    dest: "{{ workdir }}/manifests" 
+    remote_src: yes
+  with_fileglob:
+    - "../../ocp4-helpernode/machineconfig/*-chrony-configuration.yaml"
diff --git a/playbooks/roles/ocp-config/tasks/main.yaml b/playbooks/roles/ocp-config/tasks/main.yaml
@@ -5,12 +5,10 @@
   import_tasks: squid.yaml
   when: setup_squid_proxy
 
-
 - name: Extract OCP4 tools
   import_tasks: extract.yaml
   when: release_image_override != ""
 
-
 - name: Skip config if install workdir exist
   stat:
     path: "{{ workdir }}"
@@ -28,7 +26,6 @@
 #  - absent
   - directory
 
-
 - name: Generate install-config.yaml
   template:
     src: ../templates/install-config.yaml.j2
@@ -61,7 +58,7 @@
     line: '\1mastersSchedulable: False'
     backrefs: yes
 
-- name: Create Chrony machineconfig files for coreOS
+- name: Setup time synchronisation with Chrony
   import_tasks: chrony.yaml
   when: chronyconfig.enabled
 

diff --git a/playbooks/roles/ocp-config/templates/chrony-machineconfig.j2 b/playbooks/roles/ocp-config/templates/chrony-machineconfig.j2
diff --git a/playbooks/roles/ocp-config/templates/chrony.conf.j2 b/playbooks/roles/ocp-config/templates/chrony.conf.j2